Attackers behind a massive espionage malware campaign that went undetected for five years relied in part on a vulnerability in the widely deployed Java software framework to ensnare their victims, a security researcher said.

The unknown attackers infected computers operated by the Russian Federation, Iran, the US, and at least 36 other countries. They used highly targeted malware to collect what's believed to be hundreds of terabytes of sensitive data, according to researchers from antivirus provider Kaspersky Lab. The success of the covert operation is largely the result of malware and phishing e-mails that were highly customized for each victim.

Now, Aviv Raff, CTO of Israel-based Seculert, said he has uncovered a website used to infect some of the victims of Operation Red October (as the campaign has been dubbed). The website exploited a critical Java vulnerability identified as CVE-2011-3544, allowing the attackers to surreptitiously execute malicious code on visitors' computers. Although Oracle developers patched the bug in October of 2011, the malicious Java archive file was compiled the following February.

Raff's discovery provides a window into the inner workings of an espionage campaign that collected passwords, cryptographic keys, and sensitive diplomatic intelligence from some of the world's biggest governments. They include a pseudo-randomly generated unique ID the malicious executable assigned to each newly infected computer.

The website used to infect Red October victims shares at least one characteristic with a command and control server operated by the attackers behind Flame, the espionage malware that targeted computers in Iran. As previously reported by Ars, the Flame servers were designed to look like a news website, an approach that was also adopted by the people who built the site that exploited the Java vulnerability. Raff said he didn't know if the similarity was a connection between the two pieces of malware or a mere coincidence.

Raff's discovery was in part aided by oversights made by the people who set up or maintained the attack website. At some point, the site stopped executing the malicious code when people visited the address that hosted it. Instead, the page began displaying the source code for the PHP script, giving the world a rare peak inside the espionage campaign. The source code leakage isn't the only apparent mistake that has helped researchers uncover the Red October campaign. Attackers also allowed the several command and control domain names hardcoded into the malware to remain unregistered. The omission allowed Kaspersky researchers to obtain the Internet addresses so they could be observed as commandeered machines reported for updates.

Raff remained unfazed by the apparent mistakes.

"Attackers are humans, after all," he explained. "They tend to make mistakes. It doesn't mean they are more sophisticated or less sophisticated. This specific mistake helps us understand how the attack worked."

Promoted Comments

I think it's partly (for some value of partly) because Microsoft has massively improved their coding practices. Other vendors were slower to get running. Adobe ended up working with Microsoft to get on the right track WRT to writing secure code.

Thank god we don't get the C style mistakes anymore. For awhile some of the updates made MS look totally incompetent. then again those mistakes are still present on some other OS that will go nameless, as I don't want to offend their superior developers who don't make mistakes!